Bold Decisions and New Challenges

Written by Aušra Mažutavičienė on January 20, 2025

The year has just begun, but impactful decisions are already reshaping the privacy landscape. For the first time, the EU's own General Court has ordered the European Commission to pay damages for breaching the EU's own data protection rules.

Let’s dig into it.

EU Court Fines the European Commission for GDPR Breach

In a January 8 decision, the European General Court set a new precedent by ordering the European Commission to pay damages to an individual for unlawfully transferring his personal data to the U.S. without adequate protections. The court awarded €400 in non-material damages to the plaintiff, Thomas Bindl.

What Happened?

  • Bindl's IP address was transmitted to Meta Platforms in the U.S. when he used the "Sign in with Facebook" option on a Commission-run website, with no safeguards in place for the transfer.
  • The court found the transfer unlawful because, at the time, no adequacy decision covered the U.S.: the EU-U.S. Privacy Shield had already been invalidated (Schrems II, 2020) and the Data Protection Framework (DPF) had not yet been adopted (2023), and the Commission had put no other appropriate safeguards, such as standard contractual clauses, in place.

Why It Matters:

  • EU Data Protection Law Applies to Everyone: This is the first time an EU institution itself has been ordered to pay damages for breaching the EU's data protection rules (for the institutions, Regulation 2018/1725, the counterpart of the GDPR), showing that the rules apply to all, even the EU itself.
  • Timing Matters: The transfer took place in the gap between the invalidation of Privacy Shield and the adoption of the DPF. Had it occurred under the DPF, the outcome might have been different.
  • Big Impact for Lawsuits: This case sets an important precedent - an unlawful data transfer, on its own, can entitle the affected individual to damages. Experts expect a surge in lawsuits: €400 per person is small, but it grows into millions once many people are affected.
  • Schrems III: Privacy advocates such as Max Schrems may use this ruling to bring large collective actions before EU courts. By paving the way for such actions, this case might fast-track the arrival of "Schrems III" and reshape how data privacy cases are handled.

Italy Fines OpenAI: ChatGPT’s Privacy Practices Under Fire

In a previous newsletter, we predicted that 2025 would bring the first regulatory decisions against AI providers. We didn’t have to wait long - Italy’s Data Protection Authority imposed a €15 million fine on OpenAI at the close of 2024.

What Happened?

Italy’s Data Protection Authority (Garante) imposed a fine and also demanded that OpenAI make corrective measures related to:

  • Using personal data to train ChatGPT without a proper legal basis.
  • Failing to implement age verification, leaving children under 13 exposed to the service.

Key Actions Ordered:

  • OpenAI must launch a 6-month public awareness campaign in Italy to educate users about its data practices.

Italy's authority, the Garante, is one of the EU's most proactive regulators in assessing and enforcing AI platform compliance. In early 2023 it briefly banned ChatGPT in Italy over alleged breaches of EU privacy rules.

While OpenAI has called the €15 million fine “disproportionate” and plans to appeal, Garante emphasized that the penalty reflects OpenAI's cooperative stance during the investigation - implying the fine could have been significantly higher had the company not engaged constructively.

Why It Matters:

  • Increased AI Scrutiny: We expect more decisions against AI providers from data protection authorities across the EU.
  • Market Impact: The fine may prompt some companies to rethink the legal basis and age-assurance measures of their AI projects before launching them in the EU.

AI Products Under Review: Meta’s Retreat

Facing public backlash and growing regulatory scrutiny, Meta is killing off its own AI-powered Instagram and Facebook profiles. The company first introduced these AI character profiles in September 2023 and retired most of them by summer 2024. A few characters remained on the platforms, however, and drew renewed attention in early January 2025 after Meta announced plans to roll out more AI character profiles.

While the Meta-generated accounts are being removed, users can still create their own AI chatbots. Meta attaches a disclaimer to all of its chatbots that some messages may be "inaccurate or inappropriate", but it is not clear whether the company actively moderates these messages or checks that they comply with its policies.

Final Thoughts

These developments signal an evolving privacy landscape where accountability and transparency are becoming non-negotiable. Both companies and regulators are being challenged to set new standards for data protection and AI governance.